2024-03-08 - Modern Stateless Authentication - Chewing the Fat 📈 #8074
Replies: 55 comments 7 replies
-
Interesting topic. I understood a fair bit of how that all worked before today. Nice way to clear the whole story up though.
-
Great topic, looking forward to diving into it more. The CTF form took a bit of an incoherent turn toward IdentityServer. I understand the link but this wasn't clear. For anyone wondering - Duende IdentityServer (formerly just IdentityServer but it's now a commercial product) is an OIDC implementation in .NET. It builds upon ASP.NET Core technology, which already handles things like user stores and session-based auth, to provide JWT auth. It handles issuing and validating JWTs and everything that goes with it. At SSW, we have implemented Duende IdentityServer as our central Single Sign-On (SSO) identity provider (IDP). SSO means using the same identity to sign in to multiple applications. How this ties to this week's CTF is that we can now use a single identity (think the same UN+PW combo) to sign in to all SSW applications (this is WIP as you've seen from various SSW all emails), using modern stateless auth with JWTs. Sorry for the big mansplain, just thought it wasn't clear in the form, especially for non-devs or those who haven't worked with auth.
-
Nice video.
-
Great video. I am dealing with the issue of refresh tokens and the problems around their "long-livedness", lack of standard related to the use of refresh tokens and protecting from MITM attacks. IdentityServer and Auth0 give you mechanisms for dealing with it but B2C does not.
-
Interesting topic, he does a great job explaining it!
-
Haven't delved too much into security before, I found the video quite informative (have been seeing a lot of ByteByteGo recently). I found that the video and questions also sparked personal investigation into a few of the topics mentioned this week in CTF, a style I like!
-
I've previously implemented IdentityServer as a junior dev (Mistake) but in the process, learned a ton about this process and how it works. Good to know I still understand it, for the most part.
-
As a visual learner, I find ByteByteGo's videos especially appealing. Their clear, succinct explanations combined with engaging animated graphics make every video highly effective. My uni professors tried (and failed) so hard to explain this week's and last week's topics to me but this guy did it in 5 minutes. LOL
-
An important topic that can be tough to swallow, but the video and rules help to understand it better.
-
This was a great topic to cover, it's an important concept to understand for any developer working on web applications.
-
Good to revisit what I have learned on 2FA.
-
This was a great CTF, really enjoyed the content and video! Authentication is yet another topic that wasn't taught well at Uni! I'd love to see more of these Auth videos.
-
Great topic, I never heard of JWT before - the whole process is still a bit abstract but I'll dig more into it!
-
I like when CTFs discuss a well-known topic and make it clearer, or a topic which you knew a long time ago and already forgot.
-
JWT is a great idea provided that all the security considerations are taken into account and risks mitigated. I like how you can add your own custom claims in your auth provider which can be used as information client-side.
-
Great video, it's good for the devs to refresh their knowledge once in a while.
-
Great video, explains JWT clearly, I like this author 👍
-
Great video and a well written rule!
-
Interesting and important topic, the video and rule gave a good explanation.
-
Good topic and video. It would have been great to combine it with session-based auth to illustrate the differences between them.
-
Great video, I have a better insight into JWT.
-
Very informative rule and video. It's very important to understand these concepts so we can build safe and secure applications.
-
Very informative. I know that JWT is encoded but never thought about how to use it safely and securely. This video gave a good explanation.
-
Thanks for the reminder!
-
Important topic! I haven't really worked on the security aspect of applications, but I am familiar with the basic principles. I should delve into it more!
-
Interesting video - the visuals make it easier to understand the concept.
-
Interesting video. Although, if the header of a JWT describes the encryption algorithm used but the payload doesn't need to be encrypted, what does the header describe when the payload isn't encrypted?
-
Good topic for people to learn stateless authentication 😀
-
Great topic that refreshed my memory on JWT tokens.
-
I really like the style of this guy's videos, they are so easy to understand and the animations are really helpful. I learned a lot.
-
Hey SSW'ers,
Let's talk about stateless authentication.
https://www.ssw.com.au/rules/modern-stateless-authentication/